Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Details of Apple iCloud Keychain Flaw Emerge at Black Hat

LAS VEGAS—Apple's iCloud Keychain is a critical piece of technology that provides users of Apple's devices with password management capabilities, making it a lucrative target for hackers. Until March of this year, iCloud Keychain and the hundreds of millions of users who rely on it were at risk due to a vulnerability in how the encryption was implemented.

Alex Radocea, founder of Longterm Security, disclosed the iCloud Keychain vulnerability, identified as CVE-2017-2448, to Apple in January. Apple issued a patch in March with the iOS 10.3 and macOS 10.12.4 updates. At the time of the patch, Apple's advisory provided only a few details about what the flaw actually was.

"An attacker who is able to intercept TLS connections may be able to read secrets protected by iCloud Keychain," Apple's advisory stated. "In certain circumstances, iCloud Keychain failed to validate the authenticity of OTR packets."

At the Black Hat USA conference here, Radocea provided significantly more detail. In a session as well as a press conference, he revealed more insight into how he found the flaw and how bad it could have been for Apple's user base had it not been patched.

Related Reading

"We took a look at how Apple's end-to-end encryption with iCloud worked, and we found a flaw," Radocea said. "It was exactly the kind of flaw that the FBI would purchase from someone to gain access into a device."

The flaw that Radocea found was in open source code that Apple was using as part of its iCloud Keychain implementation. The company uses the Off The Record (OTR) protocol, which was originally used in the AOL Instant Messenger (AIM) platform to help keep messages private.

"We found a flaw in the OTR signature verification that would basically let someone intercept secrets and the attack could be performed silently on users," he said.

While Apple now has a limited security bug bounty program, Radocea didn't submit his flaw as part of the program and as such he noted that he did not receive any reward or bounty from Apple for disclosing it.

Watch the full video with Alex Radocea above.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.